TL;DR: An analysis of 28 debloated images reveals that these images contain, on average, 33 CVEs, a mean reduction of 64 percent compared to the baseline. [If this were a grade-school test, that would be a solid D.]
While the minimal method pursues security from the ground up, a second method takes the opposite approach. Image “debloating” reduces CVEs by removing unessential components from a preexisting (or “baseline”) image. When expendable components are removed, the CVEs associated with these components are also removed. The question is: Can debloated containers pass the zero CVE challenge, achieving zero or near-zero CVEs?
The key findings are:
- Debloated containers fail the zero CVE test. While debloated containers had 64% fewer CVEs than baseline images, these images still contained, on average, 33 CVEs.
- Many debloated containers retained “high” and “critical” vulnerabilities. On average, a debloated container contained five high or critical vulnerabilities.
First, this blog post defines and explains container debloating. After explaining data collection, the post analyzes debloated containers and their ability to pass the zero CVE test.
What is container debloating?
Debloating is the process of removing extraneous image components that go unused at runtime. This stands in contrast to Wolfi-based images, where the goal is to exclude such components in the first place. RapidFort’s technology, which produced the debloated images used in this comparison, operates in three steps:
Step 1: Select an image to harden.
The user selects an image to harden, ranging from a simple curl installation based on Alpine to a fully-featured PostgreSQL installation running on top of Debian.
Step 2: Generate and run a “stub” container.
To identify the extraneous contents of an image, the tool duplicates the image (the copy is called the stub) and sideloads runtime analysis tooling into it. The user runs the stub to execute the tooling and the application's test cases, and components are recorded as they are accessed.
Step 3: Trim the fat.
Finally, the information from step 2 is used to remove any unused components from the original image. The result should be more lightweight and less vulnerable.
Do Debloated Containers Pass the Zero CVE Test?
On average, debloated images reduced the original CVE count by 64 percent. The mean number of CVEs was still 33. Chainguard images reduced the baseline by, on average, 99 percent and had a mean CVE count of nearly zero.
Not all vulnerabilities are equally concerning, though. Security teams, when faced with hundreds to thousands of CVEs to remediate, often focus on only the most severe CVEs, those with either a “high” or “critical” severity according to CVSS. Figure 2 shows the totals for only these severe CVEs. On average, debloated images contained five.
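To make the three-step procedure above and the severity breakdown concrete, here is a small added example in Python; it is not RapidFort's or Chainguard's code, and every package, file path, CVE id and CVSS score in it is constructed. It models a baseline image as packages that own files and carry CVEs, takes a "stub trace" of files touched while running test cases (step 2), drops every package that owns none of those files (step 3), and then reports total and high/critical CVE counts before and after. The point it illustrates is the one the post makes: CVEs attached to components the application actually executes survive debloating untouched.

```python
"""Toy model of runtime-trace-based image debloating (added example, constructed data)."""
from dataclasses import dataclass


def severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative band (real CVSS v3 ranges)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass(frozen=True)
class CVE:
    cve_id: str      # placeholder identifiers, not real CVEs
    cvss: float


@dataclass(frozen=True)
class Package:
    name: str
    files: frozenset[str]   # files the package installs (constructed)
    cves: tuple[CVE, ...]   # CVEs a scanner would attribute to the package (constructed)


# Constructed baseline image: a curl-style tool plus some packages it never uses at runtime.
BASELINE = [
    Package("libc", frozenset({"/lib/libc.so.6"}), (CVE("CVE-0000-0001", 7.5),)),
    Package("openssl", frozenset({"/lib/libssl.so.3", "/lib/libcrypto.so.3"}), (CVE("CVE-0000-0002", 9.8),)),
    Package("curl", frozenset({"/usr/bin/curl", "/lib/libcurl.so.4"}), (CVE("CVE-0000-0003", 5.3),)),
    Package("perl", frozenset({"/usr/bin/perl", "/usr/lib/perl5/Config.pm"}),
            (CVE("CVE-0000-0004", 9.8), CVE("CVE-0000-0005", 4.3))),
    Package("git", frozenset({"/usr/bin/git"}), (CVE("CVE-0000-0006", 8.1),)),
    Package("man-db", frozenset({"/usr/bin/man"}), (CVE("CVE-0000-0007", 3.1),)),
]

# Constructed stub trace: files opened while the test cases ran (step 2 output).
STUB_TRACE = [
    "/usr/bin/curl", "/lib/libcurl.so.4", "/lib/libssl.so.3",
    "/lib/libcrypto.so.3", "/lib/libc.so.6", "/etc/ssl/certs/ca-certificates.crt",
]


def debloat(packages: list[Package], trace: list[str]) -> list[Package]:
    """Step 3: keep only packages that own at least one file the trace touched."""
    touched = set(trace)
    return [p for p in packages if p.files & touched]


def cve_counts(packages: list[Package]) -> tuple[int, int]:
    """Return (total CVEs, CVEs rated high or critical) across the given packages."""
    total = sum(len(p.cves) for p in packages)
    severe = sum(1 for p in packages for c in p.cves
                 if severity(c.cvss) in ("high", "critical"))
    return total, severe


def reduction_pct(before: int, after: int) -> float:
    """Percentage reduction from before to after, rounded to one decimal."""
    return 0.0 if before == 0 else round(100.0 * (before - after) / before, 1)


def report(baseline=BASELINE, trace=STUB_TRACE) -> dict:
    """Compare the baseline image with its debloated counterpart."""
    kept = debloat(baseline, trace)
    b_total, b_severe = cve_counts(baseline)
    d_total, d_severe = cve_counts(kept)
    return {
        "kept": [p.name for p in kept],
        "baseline_cves": b_total,
        "debloated_cves": d_total,
        "reduction_pct": reduction_pct(b_total, d_total),
        "baseline_severe": b_severe,
        "debloated_severe": d_severe,
        "severe_reduction_pct": reduction_pct(b_severe, d_severe),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the constructed data, perl, git and man-db are dropped because the trace never touches them, which removes four of the seven CVEs (a 57.1 percent reduction). libc, openssl and curl are kept because the application needs them, so their three CVEs, including one high and one critical, remain; the only way to reduce those further is to patch or rebuild the retained components, which is the distinction the post draws between debloating and building minimal images. Note also that the model drops any package whose files the test cases did not exercise, so in practice the quality of the trace bounds both how much is removed and whether the trimmed image still works.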
Final Thoughts: How close do debloated containers come to passing the zero CVE test?
The debloated images, on average, contained 33 CVEs. This was a reduction of 64 percent compared to the baseline images. Chainguard images, by comparison, had an average of 0.1 CVEs for a 99 percent mean reduction compared to the baseline images. The same results hold when examining the reduction in high and critical CVEs.